AppSec & Supply Chain Security | June 13, 2022

Survey finds software supply chain security top of mind for dev teams — but tampering detection lags

A survey of more than 300 technology professionals found widespread concern about supply chain attacks, but only sporadic efforts to detect such attacks.

Carolynn van Arsdale, Writer, ReversingLabs

In the wake of attacks like SolarWinds (SolarStorm) and Codecov, software supply chain security and tampering (unauthorized, malicious modification of software) have risen to the top of security teams’ priority lists. With development teams under pressure to deliver applications faster than ever, they are leveraging open source and third-party software to deliver applications and services at scale. At the same time, application security has shifted left and become an essential practice for software engineers.

This lengthening of software supply chains has dramatically increased the attack surface available to skilled cybercriminals. Software publishers today are concerned not only with delivering features on time, but also with the possibility that their software will make headlines in the next SolarWinds-style attack.

The questions are: how aware of supply chain threats are software companies, and what are they able to do to stop such attacks? To answer them, ReversingLabs commissioned Dimensional Research to survey more than 300 professionals at software publishing companies. The survey revealed deep concern about the threat of software tampering and attacks on software supply chains. It also highlighted the obstacles and challenges software firms face as they attempt to detect and block attacks on their software development process.

Here are the key takeaways from the survey, along with data points your software security team can act on to protect your organization from such threats.

Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks

Dev team: We have a problem

Attacks like SolarWinds and Codecov have put software supply chain attacks on the radar of development organizations, our survey reveals. How much so? Fully 98% of those surveyed believe that the use of open source code and third-party software, as well as the threat of software tampering, is directly increasing their security risk today. A large majority (87%) recognize that software tampering can result in a security breach at their organization.

87% of respondents know software tampering can cause security breaches, according to an enterprise survey.

In a measure of the prominence that supply chain threats now have, threats from open source repositories ranked second only to software vulnerabilities in operating systems and applications when respondents were asked what posed the biggest cybersecurity risk to their organization: 63% of survey takers said open source posed a risk. Other supply chain risks also ranked highly; a majority of respondents (51%) said the inability to detect software tampering posed a risk to their organization.

Bar chart showing top risks: software vulnerabilities, open source threats, software tampering, and CI/CD exposures.

Teams not prepared to stop software tampering

While software professionals across the board understand that the risks to their organizations are severe, they are not well positioned to defend against them, our survey revealed. For example, only 51% of respondents reported that their companies can protect their software from third-party risk when using open source, commercial, and partner software. That is a worrying statistic in a threat environment in which cybercriminals increasingly exploit software dependencies, and it is more concerning still given that reliance on third-party and open source software will only continue to grow.

Just 37% of software companies indicate they have a way to detect software tampering across their supply chain. Even more concerning: of those that claim to be able to detect tampering, only 7% do so at each phase of the software development lifecycle, and just one in three check for tampering once an application is final and deployed. The inability to detect tampering holistically, coupled with the prevalent release of software containing vulnerabilities, creates a growing new attack vector.

Large “37%” figure with supporting text stating that only 37% of companies can detect software tampering across their supply chain, with a note that less than 10% review code throughout all stages of development.

Code security still a low priority in software development organizations

Overhanging the issue of software supply chain risk is the even larger and more amorphous issue of software security itself. Behind every vulnerable application, third party plugin or open source module is insecure code. And that insecure code is often the product of development organizations at which secure development processes have yet to take hold, or at which code security is a secondary (or tertiary) priority.

That unfortunate reality was laid bare by our survey respondents, 54% of whom acknowledged that their organization releases software with potential security risks. Vulnerabilities in published code were the rule rather than the exception: 37% of respondents said their companies release software that is subsequently found to contain security vulnerabilities monthly or more often, and an even higher percentage (63%) said this is the case for software their organization releases at least quarterly.

Donut chart showing survey results about detection of software tampering: 49% said no, 37% said yes, and 14% didn’t know.

Software development organizations need help

It is clear that software companies recognize the risk that attacks on development pipelines and software supply chains pose. But it is equally clear that they lack the bandwidth to meet the security demands of modern DevOps environments.

For example, Software Bills of Materials (SBOMs) have been promoted as a way to track software dependencies and the various components within a software package. However, only 27% of software companies generate and review an SBOM today. The reason? Nine in ten professionals indicated that creating and reviewing SBOMs is becoming more difficult. When asked why their companies do not generate and review SBOMs, the top reasons cited were a lack of expertise (44%) and inadequate staffing to review and analyze SBOMs (44%). Software companies across the board lack the internal bandwidth to use this now-essential tool properly.

It’s time to take action

The threat to the software industry is clear, and it is time for companies to understand the steps they must take to shore up their defenses. Software companies will have to do a better job of balancing business goals with security practices. They will also need to turn their awareness of the problem, and their inability to defend against it, into a working plan that uses modern and reliable solutions. The threat posed by cybercriminals will only worsen, so the time for the software industry to act is now.

Get the full report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks
